tempesta-tech / tempesta

All-in-one solution for high performance web content delivery and advanced protection against DDoS and web attacks
https://tempesta-tech.com/
GNU General Public License v2.0

Check trailers in body-less requests #2240

Open krizhanovsky opened 2 weeks ago

krizhanovsky commented 2 weeks ago

Motivation

We allow requests like:

GET / HTTP/1.1
Host: foo.com
Trailers: X-trailer
X-trailer: foo

It's unclear from the RFC how to treat trailers in requests without a body, so this may potentially open an HTTP header smuggling attack vector. It's also unclear why a client would send such requests. I don't remember any such attacks, so low priority.

Scope

We should drop such requests and increment a security counter. It seems the Trailers header must be made special for a quick check for the header and an empty body.

Testing

Create an appropriate test to a task for the test.

Documentation

No documentation is required.
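The check the issue proposes, written as an added standalone example (not Tempesta's code, which is a C kernel module): parse the head of an HTTP/1.1 request, and if it announces trailers while carrying no chunked body, drop it and bump a security counter. The counter name `trailers_without_body` and the sample requests are constructed for this example. RFC 9110 names the field `Trailer`; the example also matches the `Trailers` spelling used in the issue text so that the request quoted above is caught either way.

```python
"""Drop HTTP/1.1 requests that announce trailers but carry no chunked body.

Per RFC 9112, trailer fields can only follow a chunked message body, so a
request with a Trailer header and no Transfer-Encoding: chunked has nothing
the trailer could legitimately belong to. Treating it as a parse error closes
off the header-smuggling ambiguity described in the issue.
"""
from collections import Counter
from dataclasses import dataclass

# Stand-in for Tempesta's security counters (assumption for this example).
security_counters = Counter()


@dataclass
class Verdict:
    accept: bool
    reason: str


def parse_head(raw: bytes):
    """Split a raw request into (request line, [(name_lower, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("ascii"),
                        value.strip().decode("latin-1")))
    return request_line, headers, body


def has_chunked_body(headers) -> bool:
    """True only if the final transfer coding is 'chunked' (RFC 9112 6.1)."""
    for name, value in headers:
        if name == "transfer-encoding":
            codings = [c.strip().lower() for c in value.split(",")]
            return codings[-1] == "chunked"
    return False


def check_trailers(raw: bytes) -> Verdict:
    """Accept or drop a request based on whether its trailer announcement is legal."""
    _, headers, _ = parse_head(raw)
    announced = [v for n, v in headers if n in ("trailer", "trailers")]
    if not announced:
        return Verdict(True, "no trailer announcement")
    if has_chunked_body(headers):
        return Verdict(True, "trailer announced for a chunked body")
    # Announced trailer names that already appear in the header section are
    # exactly the ambiguity a smuggling attempt would rely on; report them.
    names = {n.strip().lower() for v in announced for n in v.split(",")}
    present = sorted(n for n, _ in headers if n in names)
    security_counters["trailers_without_body"] += 1
    return Verdict(False,
                   f"trailer announced without chunked body; announced fields "
                   f"already in header section: {present}")


# Constructed samples: the request from the issue, and a legitimate chunked POST.
BODYLESS_REQUEST = (b"GET / HTTP/1.1\r\nHost: foo.com\r\n"
                    b"Trailers: X-trailer\r\nX-trailer: foo\r\n\r\n")
CHUNKED_REQUEST = (b"POST /upload HTTP/1.1\r\nHost: foo.com\r\n"
                   b"Transfer-Encoding: chunked\r\nTrailer: X-Checksum\r\n\r\n"
                   b"5\r\nhello\r\n0\r\nX-Checksum: abc\r\n\r\n")
CONTENT_LENGTH_REQUEST = (b"POST /upload HTTP/1.1\r\nHost: foo.com\r\n"
                          b"Content-Length: 5\r\nTrailer: X-Checksum\r\n\r\nhello")

if __name__ == "__main__":
    for req in (BODYLESS_REQUEST, CHUNKED_REQUEST, CONTENT_LENGTH_REQUEST):
        print(check_trailers(req))
    print("dropped:", security_counters["trailers_without_body"])
```

A request with `Content-Length` and a `Trailer` header is dropped as well: only a chunked body can carry trailers, so a length-delimited body leaves the announcement dangling just as an empty one does.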